Digital signatures are widely used in electronic communications to secure important tasks such 
as financial transactions, software updates, and legal contracts. The signature schemes that are 
in use today are based on public-key cryptography and derive their security from computational 
assumptions. However, it is possible to construct unconditionally secure signature protocols. In 
particular, using quantum communication, it is possible to construct signature schemes with security 
based on fundamental principles of quantum mechanics. Several quantum signature protocols have 
been proposed, but none of them has been explicitly generalised to more than three participants, 
and their security goals have not been formally defined. Here, we first extend the security definitions 
of Swanson and Stinson [1] so that they can apply also to the quantum case, and introduce a formal 
definition of transferability based on different verification levels. We then prove several properties 
that multiparty signature protocols with information-theoretic security - quantum or classical - 
must satisfy in order to achieve their security goals. We also express two existing quantum signature 
protocols with three parties in the security framework we have introduced. Finally, we generalize a 
quantum signature protocol given in [2] to the multiparty case, proving its security against forging, 
repudiation and non-transferability. Notably, this protocol can be implemented using any point-to- 
point quantum key distribution network and therefore is ready to be experimentally demonstrated. 


I. INTRODUCTION 


Digital signatures are important cryptographic building blocks which are widely used to provide security in electronic 
communications. They achieve three main cryptographic goals: authentication, non-repudiation, and transferability. 
These properties make them suitable for securing important tasks such as financial transactions, software updates, 
and legal contracts. The digital signatures schemes that are in use today, which are based on public-key cryptography, 
derive their security from unproven computational assumptions, and most of them - notably those based on the RSA 
algorithm or on elliptic curves - can be broken by quantum computers [3]. 

Consequently, from both a practical and fundamental perspective, there has been an interest in studying signature 
protocols that do not rely on computational assumptions, but instead offer information-theoretic security. These 
schemes were first introduced by Chaum and Roijakkers [4] and are known as unconditionally secure signature (USS) 
schemes. Besides the proposal of Chaum and Roijakkers, several other USS protocols have been suggested nnsHU], 
most of them based on removing standard trust assumptions from message authentication codes (MACs). However, 
most known classical USS protocols proposed so far rely on the assumption of either a trusted arbiter or authenticated 
broadcast channels, and crucially, all of them require the use of secure channels, which are impossible to realize, 
practically, with information-theoretic security using only classical communication mill]. 

Once quantum communication is allowed, it becomes possible to construct signature schemes whose information-theoretic 
security is based on fundamental principles of quantum mechanics. These are known as quantum signature 
(QS) schemes. The first QS protocol was proposed by Gottesman and Chuang [TS], who introduced the main ideas 
for bringing digital signatures into the quantum world. Although influential from a fundamental point of view, their 
scheme requires the preparation of complex quantum states, performing quantum computation on these states and 
storing them in quantum memory, making the protocol highly impractical. This is also an issue for other protocols 
that appeared shortly after min]. 

Recently, new QS protocols that do not require a quantum memory and which can be realized with standard 
quantum-optical techniques have been proposed O [TSl [19]. Some of these protocols have also been demonstrated 
experimentally [20, 21], thus establishing their viability as a practical technology. A short review of these developments 
can be found in Ref. [22]. Nevertheless, these schemes have not been generalized to more than three participants, and 
their security goals have not been formally defined. Overall, a security framework for quantum signature schemes that 
includes rigorous definitions of security suitable for multiparty protocols has not yet been proposed. In the absence 
of such a framework, it is not clear how to design secure multiparty protocols nor what the concrete advantages of 
quantum signatures are compared to their classical counterparts. 

In this work, we provide a security framework suitable for USS protocols involving an arbitrary number of participants. 
We follow the definitions by Swanson and Stinson [1], generalizing them so that they can apply also to 
the quantum case, and introduce a formal definition of transferability based on different verification levels. We also 
present a characterization of the general structure of USS protocols and introduce rigorous definitions of security. 
Additionally, we prove several properties that these protocols must satisfy in order to achieve their security goals. We 
then express two existing protocols for quantum signatures with three parties within the framework we developed. 
Finally, we make use of our results to generalize a quantum protocol of Wallden et al. [2] to the multiparty case and 
prove its security against forging, repudiation and non-transferability. Notably, this protocol can be implemented 
using any point-to-point quantum key distribution network and therefore is ready to be experimentally demonstrated. 


II. DEFINITIONS FOR USS PROTOCOLS 


A QS protocol is carried out by a set of participants and is divided into two stages: the distribution stage and the 
messaging stage. The distribution stage is a quantum communication stage, where the parties exchange quantum and 
classical signals according to the rules of the protocol. Although in principle they could store the received quantum 
states in a quantum memory, we focus on more practical protocols in which the participants perform measurements on 
the states and store the outcomes in a classical memory. The participants may also process their data and communicate 
classically with each other. Overall, each participant is left with a set of rules for signing messages and for verifying 
signatures. These rules generally depend on their measurement outcomes and the classical communication. At the end 
of the distribution stage, the parties decide whether to continue to the messaging stage or to abort the protocol. In 
the messaging stage, one of the participants (the signer) signs a message by attaching a classical string (the signature) 
to the message. When a participant receives a signed message, they verify its validity according to the rules of the 
protocol. 

A USS protocol must achieve authenticity, non-repudiation, and transferability as its main security goals. Informally, 
these goals can be defined as follows: 

1. Authentication: Except with negligible probability, an adversary cannot create a message and signature pair 
that is accepted by another participant, i.e. a signature cannot be forged. 

2. Non-repudiation: Except with negligible probability, a signer cannot later successfully deny having signed a 
message that has been accepted by an honest recipient. 

3. Transferability: A recipient that accepts a signed message can be confident that, except with negligible 
probability, the signature will also be accepted by other participants. 

In order to satisfy non-repudiation and transferability, each recipient must have a method of determining whether 
other participants will also agree on the validity of a signature. This is straightforward in classical public-key schemes, 
since every recipient applies the same rule to verify a signature. However, as we discuss later in this paper, in an 
information-theoretic scenario, every recipient must have a different rule to verify a signed message - or, at least, 
two participants must have the same verification algorithm with low probability¹. Thus, a security model for USS 
schemes must deal carefully with the notion of non-repudiation and the transferability of signatures. 

We now generalize the work of Swanson and Stinson [1] in the context of USS schemes to construct formal definitions 
that are also suitable for quantum signature schemes and allow for different levels of verification. This will permit 
us to formalize the structure of general USS protocols, provide rigorous security definitions, and illustrate properties 
they must possess in order to be secure. 


¹ Following Swanson and Stinson [1], with “verification algorithm”, we understand a full specification of the rules an individual participant 
is using to verify a message. For example, different recipients could use a more generic “verification function”, which is the same for all 
participants, but with random inputs which differ for different recipients. What we mean by the verification algorithm of an individual 
participant would, in this case, be the generic verification function together with that participant’s specific random inputs. This way of 
defining the recipients’ verification functions makes sense considering that a recipient might in this example know neither what the 
underlying generic function is, nor what the random inputs are, only what the resulting combination of the generic verification function 
and random inputs is. This definition of verification function also makes sense for quantum signature protocols. 
Definition 1. A USS protocol Q is an ordered set {P, X, Σ, L, Gen, Sign, Ver} where: 

- The set P = {P_0, P_1, ..., P_{N−1}} is the set of N different participants involved in the protocol. We fix P_0 to be 
the signer, and the P_i are the possible recipients, with i ∈ {1, ..., N − 1}. X is the set of possible messages and Σ 
is the set of possible signatures. 

- Gen is the generation algorithm that gives rise to the functions Sign and Ver that are used to generate a signature 
and verify its validity. More precisely, the generation algorithm specifies the instructions for the quantum and 
classical communication that takes place in the distribution stage of the protocol. Additionally, the generation 
algorithm instructs how to construct the functions Sign and Ver based on the data obtained during the distribution 
stage. The generation algorithm includes the option of outputting an instruction to abort the protocol. 

- The signature function Sign is a deterministic function X → Σ that takes a message x and outputs a signature 
σ ∈ Σ. 

- L = {−1, 0, 1, ..., l_max} is the set of possible verification levels of a signed message. A verification level l 
corresponds to the minimum number of times that a signed message can be transferred sequentially to other 
recipients. For a given protocol, the maximum number of sequential transfers that can be guaranteed is denoted 
by l_max < N − 1. 

- The verification function Ver is a deterministic function X × Σ × P × L → {True, False} that takes a message x, 
a signature σ, a participant P_i and a level l, and gives a truth value depending on whether participant P_i accepts 
the signature as valid at the verification level l. We denote a verification function with a fixed participant P_i 
and level l as Ver_{(i,l)}(x, σ) := Ver(x, σ, i, l). 


In general, the generation algorithm must involve randomness in the construction of the signing and verification 
functions. The randomness may be generated locally by each participant or it can be generated and distributed 
by a trusted third party. It can arise from the intrinsic randomness of quantum measurements, or by other means. 
Therefore, even though the signing and verification functions are deterministic functions, they are randomly generated. 
An illustration of the distribution stage for a generic USS protocol can be seen in Fig. 1. 

The verification levels are a method of determining whether a signature can be transferred sequentially among 
participants. As an illustration, consider a protocol involving a signer Alice, a recipient Bob, and a bank. Other 
participants may be involved as well. Bob receives a payment from Alice which is signed using a USS protocol, and 
Bob wants to transfer this signed message to the bank. For Bob, it does not suffice to verify that the signature comes 
from Alice and that she cannot repudiate it - he also needs a guarantee that when he transfers the signed message 
to the bank, they will be able to validate it. Now suppose that the bank also requires the ability to transfer the 
message to another participant, otherwise they don’t accept the message. Then Bob needs a guarantee that it can 
be transferred twice in sequence, from himself to the bank and from the bank to another participant. In general, 
Bob may require that a signed message be transferred many times in sequence. This guarantee is provided by the 
verification levels: With high probability, a signature that is verified at level l can be transferred l times in sequence. 
A signature that is verified at level l = 0 is certified to have come from the signer, but does not have a guarantee that 
it can be transferred to other participants. The role of the verification level l = −1 is to prevent repudiation, as will 
be explained in Section II A. 

We now introduce additional useful definitions, which are inspired by Ref. [1] and generalized to allow different 
levels of verification. As a starting point, it is important that a USS protocol works properly when all parties are 
honest. 

Definition 2. A USS protocol Q is correct if Ver_{(i,l)}(x, Sign(x)) = True for all x, i, l. 

Since USS protocols have different verification functions for different participants as well as different levels of 
verification, it is important to carefully specify what it means for a particular signature to be valid. 

Definition 3. A signature σ on a message x is authentic if σ = Sign(x). 

Definition 4. A signature σ on a message x is valid if Ver_{(i,0)}(x, σ) = True for all i ∈ {1, ..., N − 1}. 

Thus, a valid signature is simply one for which all participants can verify that it originates from the intended signer. 
Crucially, a valid signature does not need to be authentic, a possibility not originally considered in Ref. [1]. 
FIG. 1: (A) Schematic portrayal of a possible generation algorithm in the distribution stage of a QS protocol with three 
participants. The three parties exchange messages over classical and quantum channels. At the end of their communication, 
the signer has a specification of the signing algorithm, and the recipients have a specification of their respective verification 
functions. (B) An example of a generation algorithm for one of the recipients. From their perspective, they receive a quantum 
state ρ and a classical message Y_1 from the other participants. A measurement M_R that depends on a random variable R is 
carried out on the quantum state, and the outcome Y_2, together with the classical data Y_1, is fed to an algorithm G_{Y_1,Y_2}. This 
program outputs data Y_3 that, together with another possibly random variable S, is fed to a second algorithm C that determines 
the quantum and classical messages sent to the other participants. After several iterations of these steps, the program G_{Y_1,Y_2} 
outputs the verification function. 


Definition 5. A signature σ on a message x is i-acceptable if Ver_{(i,0)}(x, σ) = True. 

Note that, as opposed to a valid signature, an i-acceptable signature may not pass the verification functions of 
participants other than P_i. Therefore, an i-acceptable signature may not be a valid signature. 

Definition 6. A signature σ on a message x is i-fraudulent if σ is i-acceptable but not valid. 

As discussed before, the participants may additionally be interested in the transferability of the signature. This 
motivates the following definitions. 

Definition 7. A signature σ on a message x is l-transferable if Ver_{(i,l)}(x, σ) = True for all i ∈ {1, ..., N − 1} and 
there exists j such that Ver_{(j,l+1)}(x, σ) = False. For l = l_max, the function Ver_{(j,l_max+1)}(x, σ) is not defined and we 
assume by convention that it is always False. 

The above definition means that a signature is l-transferable if l is the largest level for which this signature will 
pass the verification test of all participants. 

Definition 8. A signature σ on a message x is (i,l)-transferable if Ver_{(i,l)}(x, σ) = True and Ver_{(i,l+1)}(x, σ) = False. 

Thus, an (i,l)-transferable signature will pass the verification test of participant i at level l, but not at any 
higher level. As opposed to an l-transferable signature, it may not pass the verification functions of other participants. 


A. Dispute Resolution 


In traditional digital signature schemes based on public-key cryptography, there is a public verification function 
to test the validity of a signature. If a person denies having signed a message, the recipient who initially verified 
the signature can show it to other honest parties - a judge for example - who will use the same public verification 
function to certify its validity and therefore reject the signer’s claims. 

However, as we show in Section III, in a USS scheme different participants have different verification functions, 
which makes it possible in principle for two or more participants to disagree on the validity of a signature. The 
mechanism to prevent repudiation must take this into account. Suppose that Alice signs a contract and sends it to 
Bob, who uses his verification function to verify the signature. The signature passes his verification test at level l = 0 
and he is convinced that the message comes from Alice. Later, Alice attempts to repudiate by denying that she signed 
the contract. Bob knows that the other participants have different verification functions than his own, so what can be 
done to prevent Alice from repudiating? Non-repudiation is ensured by incorporating a dispute resolution method: a 
mechanism to handle the event of a disagreement on the validity of a signature. It is expected that dispute resolution 
will be invoked relatively rarely. It is akin to an appeal procedure which is very expensive for the participant who 
loses. Any participant (honest or dishonest), who thinks he might lose the dispute resolution, will avoid any action 
that could lead to someone invoking it. Therefore, while the dispute resolution may seem complicated and 
resource-expensive in terms of communication, it is not something that affects the effectiveness of the protocol, since any rational 
participant, whether adversarial or honest, will always take actions that guarantee that any other rational participant 
would not invoke dispute resolution. Based on Ref. [1], we formally define such a dispute resolution method as follows. 

Definition 9. A dispute resolution method DR for a USS scheme Q is a procedure invoked whenever there is a 
disagreement on whether a signature σ on a message x is a valid signature originating from the signer P_0. The 
participant invoking the dispute resolution can be anyone, including the signer P_0. The procedure consists of an 
algorithm DR that takes as input a message-signature pair (x, σ) and outputs a value in {Valid, Invalid} together with 
the rules: 

1. If DR(x, σ) outputs Valid, then all users must accept (x, σ) as a valid signature for x. 

2. If DR(x, σ) outputs Invalid, then all users must reject (x, σ) as a valid signature for x. 

Defining a particular dispute resolution method constitutes a crucial part of specifying a USS protocol. Whether 
a protocol is secure against repudiation will generally depend on the choice of dispute resolution. But what are the 
concrete possibilities that we can choose from? A simple strategy is to designate a trusted participant to be in charge 
of deciding the validity of a signature whenever the dispute resolution method is invoked. This participant, who may 
have access to more information about the protocol than others, serves as an arbiter who has the final word whenever 
there is a dispute. An obvious drawback of this choice is the necessity of trust: If the arbiter behaves dishonestly, 
perhaps due to being blackmailed to do so, the entire security of the protocol is compromised. In this paper, we focus 
on a majority vote dispute resolution method. 

Definition 10. When dispute resolution is invoked on the validity of a message-signature pair (x, σ), a majority vote dispute resolution 
method MV(x, σ) is defined by the following rule: 

1. MV(x, σ) = Valid if Ver_{(i,−1)}(x, σ) = True for more than half of the users. 

2. MV(x, σ) = Invalid otherwise, 

where Ver_{(i,−1)} is the verification function at level l = −1. 

The need for a verification level l = −1 can be understood as a mechanism to prevent repudiation by Alice, and 
it is only relevant when DR is invoked. Intuitively, Ver_{(i,−1)} should be chosen such that it is infeasible to produce a 
signature that passes the verification function of one participant at level l = 0, but does not pass the verification 
function of the majority of participants at level l = −1. This will be formalized in Section III. 

The majority vote dispute resolution method was implicitly used in the protocols of [a[iE] when discussing security 
against repudiation. The obvious advantage of the majority vote method is that we do not need to trust any fixed 
participant, but instead assume only that at least most of them are not dishonest. However, we emphasize that the 
security definitions of the following section do not depend on a particular choice of DR. 

Note that a dispute resolution method can be used by any participant to convince others of the validity of a 
signature, even when the signature is only verified at level l = 0. If the protocol is secure against repudiation - as 
will be formally defined in the next section - then no person other than the signer will be able to create a signature 
that is deemed valid by the dispute resolution method. Therefore, if DR is invoked and outputs “Valid”, everyone is 
already convinced that the signature must have come from the signer. This means that the verification levels serve the 
specific purpose of providing the participants with an assurance that other people will sequentially verify a transferred 
signature without the need to invoke dispute resolution. This is desirable because carrying out dispute resolution may 
be expensive and should only be invoked under special circumstances. 

Finally, we also consider the case in which a participant is dishonest about the level at which they verify a signature. 
For instance, suppose that Bob wants to transfer a message regarding a payment by Alice, signed by Alice, to a store. 
The store only accepts signatures that they can transfer to a bank, so Bob needs an assurance that Alice’s signature 
can be transferred twice in sequence. Bob verifies the signature at level l = 2 and sends it to the store. The store, 
however, is dishonest, and lies to Bob by claiming that they verified the signature only at level l = 0, even though Bob 
knows that they should have verified it at least at level l = 1. If the protocol is secure against repudiation, Bob can 
invoke dispute resolution to make everyone, including the bank, agree on the validity of the signature. But in order 
to resolve disputes regarding the verification level of a signature, we need an additional dispute resolution method. 

Definition 11. A transferability dispute resolution method at level l, TDR, for a QS scheme Q, consists of an 
algorithm DR_T that takes as input a message-signature pair (x, σ) and a verification level l and outputs a value in {l-transferable, 
not l-transferable} together with the rules: 

1. If DR_T(x, σ, l) outputs l-transferable, then all users must accept (x, σ) as an l-transferable signature for x. 

2. If DR_T(x, σ, l) outputs not l-transferable, then all users must reject (x, σ) as an l-transferable signature for x. 

For this form of dispute resolution method, we can also use a majority vote method defined as before. 

Definition 12. A majority vote transferability dispute resolution method at level l, MV(x, σ, l), is defined by the 
following rule: 

1. MV(x, σ, l) = l-transferable if Ver_{(i,l−1)}(x, σ) = True for more than half of the users. 

2. MV(x, σ, l) = not l-transferable otherwise. 

If the protocol offers transferability, as will be formally defined in the next section, any participant who verifies a 
signature at level l has a guarantee that, with high probability, any other participant will verify the signature at level 
at least l − 1. Therefore, if the majority of participants are honest, a majority vote will indeed deem the signature that 
was verified at level l by an honest participant as an (l − 1)-transferable signature. This form of dispute resolution 
can serve as a deterrent for dishonest behaviour. In our previous example, the store is discouraged from lying to Bob 
as they know that a transferability dispute resolution can be used to detect their dishonesty, for which they can be 
penalized. 


B. Security definitions 


Previously, we introduced the security goals of USS schemes. We are now in a position to define them formally. 
More than one of the participants can be malevolent, so in general we must look at coalitions of participants that 
attack the scheme. In an attempt at repudiation, the coalition must include the signer, whereas a coalition aiming 
to forge a signature does not include the signer. Formally, we define successful cases of repudiation and forging as 
follows: 

Definition 13. Given a USS protocol Q and a coalition C ⊂ P of malevolent participants - including the signer P_0 
- that output a message-signature pair (x, σ), we define repudiation to be the function: 

$$\mathrm{Rep}_C(Q, \mathrm{DR}, \sigma, x) = \begin{cases} 1 & \text{if } (\sigma, x) \text{ is } i\text{-acceptable for some } i \notin C \text{ and } \mathrm{DR}(\sigma, x) = \mathrm{Invalid} \\ 0 & \text{otherwise} \end{cases} \qquad (1)$$


Thus, a coalition succeeds at repudiation if they can produce a signature that passes the verification test of one 
of the honest participants at level l = 0, but when a DR is invoked, it will be decided that the signature is invalid. 
According to this definition, a malevolent signer may be able to repudiate with respect to some dispute resolution 
method, but not other methods. 

Definition 14. Given a USS protocol Q and a coalition of malevolent parties C ⊂ P - not including the signer P_0 - 
that output a message-signature pair (x, σ), we define forging to be the function: 

$$\mathrm{Forg}_C(Q, \sigma, x) = \begin{cases} 1 & \text{if } (\sigma, x) \text{ is } i\text{-acceptable for some } i \notin C \\ 0 & \text{otherwise} \end{cases} \qquad (2)$$
A successful forgery therefore only requires the coalition to create a signature that passes the verification test of 
one honest participant at level l = 0. Note that we could have additionally asked that the signature be deemed valid 
by the DR method, but that would constitute a more difficult task for the attackers. 

Definition 15. Given a USS protocol Q, a coalition of malevolent parties C ⊂ P - including the signer P_0 - that 
output a message-signature pair (x, σ), and a verification level l, we define non-transferability to be the function: 

$$\mathrm{NonTrans}_C(Q, \sigma, x, l) = \begin{cases} 1 & \text{if } \mathrm{Ver}_{(i,l)}(\sigma, x) = \mathrm{True} \text{ for some } i \notin C \text{ and } \mathrm{Ver}_{(j,l')}(\sigma, x) = \mathrm{False} \\ & \text{for some } 0 \le l' < l \text{ and some } j \ne i,\ j \notin C \\ 0 & \text{otherwise} \end{cases} \qquad (3)$$


Therefore, a message-signature pair will be non-transferable at level I if the coalition can produce a signature that at 
least one honest participant verifies at level I, but some other honest participant does not verify at a lower level. Thus, 
if the signature is non-transferable, there exists a sequence of participants such that, as the signature is transferred 
in the order of the sequence, at least one of them will not agree that he can transfer the signature to the remaining 
participants. 
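The definitions of this section (Definitions 2 to 8, the majority-vote dispute resolution of Definitions 10 and 12, and the predicates Rep, Forg and NonTrans of Definitions 13 to 15) can be exercised on a small constructed instance; the following Python model is an added example, not code from the paper. It assumes single-bit messages, a signer key K_x per message, recipient copies of K_x with a fixed constructed pattern of bit flips standing in for the distribution-stage data, acceptance at level l when the mismatch count is at most a level-dependent threshold s[l] with s[−1] > s[0] > ... > s[l_max] (so Observation 2 holds by construction), and that "more than half of the users" is counted over the N − 1 recipients.

```python
"""Toy model of the USS definitions of Section II (constructed example).

Assumptions (not from the paper): messages x in {0, 1}; the signer P_0 holds
a key string K_x per message; recipient P_i holds K_x with the positions
p where p % 20 < noise_bits[i] inverted (a fixed stand-in for noisy
distribution-stage data); P_i accepts (x, sigma) at level l iff the number of
positions where sigma differs from their copy is at most s[l].
"""
import random

VALID, INVALID = "Valid", "Invalid"


class ToyUSS:
    def __init__(self, n_participants, key_len, thresholds, noise_bits, seed=0):
        # thresholds: {level: max mismatches} for levels -1 .. l_max, strictly
        # decreasing so that acceptance at l implies acceptance at every l' < l.
        self.N = n_participants
        self.recipients = range(1, n_participants)      # P_1 .. P_{N-1}
        self.l_max = max(thresholds)
        assert sorted(thresholds) == list(range(-1, self.l_max + 1))
        assert all(thresholds[l] > thresholds[l + 1] for l in range(-1, self.l_max))
        self.s = thresholds
        rng = random.Random(seed)
        self.K = {x: [rng.randrange(2) for _ in range(key_len)] for x in (0, 1)}
        self.copies = {
            i: {x: [b ^ (1 if p % 20 < noise_bits[i] else 0)
                    for p, b in enumerate(self.K[x])] for x in (0, 1)}
            for i in self.recipients
        }

    # Definition 1: Sign and Ver (Ver at level l_max + 1 is False by convention).
    def sign(self, x):
        return tuple(self.K[x])

    def ver(self, x, sigma, i, l):
        if l > self.l_max:
            return False
        mism = sum(a != b for a, b in zip(sigma, self.copies[i][x]))
        return mism <= self.s[l]

    # Definitions 3 to 8.
    def authentic(self, x, sigma):
        return tuple(sigma) == self.sign(x)

    def i_acceptable(self, x, sigma, i):
        return self.ver(x, sigma, i, 0)

    def valid(self, x, sigma):
        return all(self.i_acceptable(x, sigma, i) for i in self.recipients)

    def i_fraudulent(self, x, sigma, i):
        return self.i_acceptable(x, sigma, i) and not self.valid(x, sigma)

    def transfer_level(self, x, sigma):
        """The level l of Definition 7, or None if no level qualifies."""
        for l in range(-1, self.l_max + 1):
            if all(self.ver(x, sigma, i, l) for i in self.recipients) and \
               any(not self.ver(x, sigma, j, l + 1) for j in self.recipients):
                return l
        return None

    def il_transferable(self, x, sigma, i, l):
        return self.ver(x, sigma, i, l) and not self.ver(x, sigma, i, l + 1)

    # Definitions 10 and 12: majority vote over the recipients (assumption).
    def mv(self, x, sigma):
        votes = sum(self.ver(x, sigma, i, -1) for i in self.recipients)
        return VALID if 2 * votes > len(self.recipients) else INVALID

    def mv_transferable(self, x, sigma, l):
        votes = sum(self.ver(x, sigma, i, l - 1) for i in self.recipients)
        return 2 * votes > len(self.recipients)

    # Definitions 13 to 15: predicates evaluated on a coalition's output (x, sigma).
    def rep(self, x, sigma, coalition, dr):
        honest = [i for i in self.recipients if i not in coalition]
        return int(any(self.i_acceptable(x, sigma, i) for i in honest)
                   and dr(x, sigma) == INVALID)

    def forg(self, x, sigma, coalition):
        honest = [i for i in self.recipients if i not in coalition]
        return int(any(self.i_acceptable(x, sigma, i) for i in honest))

    def non_trans(self, x, sigma, coalition, l):
        honest = [i for i in self.recipients if i not in coalition]
        return int(any(self.ver(x, sigma, i, l)
                       and any(not self.ver(x, sigma, j, lp)
                               for j in honest if j != i for lp in range(0, l))
                       for i in honest))


def flipped(sigma, n):
    """Constructed corruption of a signature: its first n bits inverted."""
    return tuple(b ^ 1 if p < n else b for p, b in enumerate(sigma))


# Constructed instance: signer plus 3 recipients, 200-bit keys, l_max = 2.
# Recipient copies differ from K_x in 10, 10 and 30 positions respectively.
USS = ToyUSS(4, 200, {-1: 60, 0: 50, 1: 40, 2: 32}, {1: 1, 2: 1, 3: 3})
```

With this instance an honest signature is 2-transferable, the same signature with its first 24 bits inverted is still valid but only 0-transferable and is non-transferable at level 2 (P_1 accepts it at level 2 while P_3 rejects it at level 1), and with 40 bits inverted it is 1-fraudulent: acceptable to P_1 but rejected by P_3 at level 0.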

We can now state the main security definitions for USS protocols: 

Definition 16. Given a coalition C ⊂ P, a USS protocol Q is called ε-secure against forging if, using their optimal 
strategy, the probability that the coalition outputs a message-signature pair (x, σ) constituting a successful forgery 
satisfies 

$$\Pr[\mathrm{Forg}_C(Q, \sigma, x) = 1] \le \varepsilon, \qquad (4)$$

where the probability is taken over any randomness in the generation algorithm and the optimal forging strategy. 

Definition 17. Given a coalition C ⊂ P and a dispute resolution method DR, a USS protocol Q is called ε-secure 
against repudiation if, using their optimal strategy, the probability that the coalition outputs a message-signature pair 
(x, σ) constituting successful repudiation satisfies 

$$\Pr[\mathrm{Rep}_C(Q, \mathrm{DR}, \sigma, x) = 1] \le \varepsilon, \qquad (5)$$

where the probability is taken over any randomness in the generation algorithm and the optimal repudiation strategy. 

Definition 18. Given a coalition C ⊂ P, a USS protocol Q is called ε-transferable at level l if, using their optimal 
strategy, the probability that the coalition outputs a non-transferable message-signature pair (x, σ) at level l satisfies 

$$\Pr[\mathrm{NonTrans}_C(Q, \sigma, x, l) = 1] \le \varepsilon, \qquad (6)$$

where the probability is taken over any randomness in the generation algorithm and the optimal cheating strategy. 

Note that the notion of transferability only makes sense between honest participants. As discussed before, even 
if the protocol is e-transferable, if a participant transfers a signed message to a dishonest participant, the dishonest 
person can always deny that they have an assurance of being able to transfer it further. In that case, a transferability 
dispute resolution method can be invoked at level l. 

Finally, we note that the security definitions we have provided here can in principle be adapted or relaxed, depending 
on the particular scope of the protocol. For example, depending on the context, it may or may not be useful to be able 
to cheat with just any recipient, without knowing specifically who this is. For example, a forger may want a message 
to be accepted specifically by a bank, and it may be of no interest that the message is accepted by another unknown 
user out of many possible ones. Thus, schemes offering other types of security, such as sufficiently low probability for 
forging a message with a particular recipient, should not be completely ruled out. 



III. PROPERTIES OF USS PROTOCOLS 


In this section, we examine several required properties of USS protocols. Understanding these properties is 
important for several reasons. First, they serve as guiding principles for the construction of new protocols. Additionally, 
from a fundamental point of view, they provide insight regarding precisely what characteristics of USS protocols give 
rise to their security. Finally, delineating these properties allows us to construct a coherent picture of the practical 
challenges to building these protocols as well as their advantages and limitations compared to signature schemes with 
computational security. In the remainder of this section, we list several of these properties and, whenever relevant, 
prove that they are required for the security of USS protocols. 

Observation 1. In any secure USS protocol, all classical communication must be authenticated. 

First, authentication is necessary as a guarantee that the participants of the protocol are who they are supposed 
to be. Otherwise, it would be possible for unauthorized outsiders to participate and compromise the security of 
the protocol, for example during dispute resolution. Moreover, just as with quantum key distribution, without 
authentication any USS protocol is subject to a man-in-the-middle attack, where an attacker impersonates one or 
more participants, thus rendering the entire scheme insecure. Information-theoretic authentication requires shared 
secret keys, so the above observation implies that any secure USS protocol requires secret keys shared between the 
participants, of length proportional to the logarithm of the length of the messages sent. 

Observation 2. $\mathrm{Ver}_{(i,l)}(x, \sigma) = \mathrm{True} \Rightarrow \mathrm{Ver}_{(i,l')}(x, \sigma) = \mathrm{True}$ for all $l' < l$. 

Since the verification level of a signature corresponds to the maximum number of times a signature can be transferred, 
a signature that is verified at a given level should also be verified at all lower levels. 

We have mentioned before that in an information-theoretic scenario, it is necessary that each participant has a 
different verification function with high enough probability. We now show this explicitly, following Ref. [T]. 

Observation 3 [T]. For any USS protocol that is $\epsilon$-secure against forging, it must hold that 

$\Pr\big(\mathrm{Ver}_{(i,l)} = \mathrm{Ver}_{(j,l)}\big) \le \epsilon$ (7) 

for all $l$ and for all $i \neq j$. 

Proof. If $\mathrm{Ver}_{(i,l)} = \mathrm{Ver}_{(j,l)}$, then participant $P_i$ can conduct an exhaustive search for a message-signature pair such 
that $\mathrm{Ver}_{(i,l)}(x, \sigma) = \mathrm{True}$. But since $\mathrm{Ver}_{(i,l)} = \mathrm{Ver}_{(j,l)}$, participant $P_i$ will also have produced a message-signature 
pair that passes the verification function of participant $P_j$. From Observation 2, if participant $P_i$ can produce such 
a signature, he can also produce a signature such that $\mathrm{Ver}_{(j,0)}(x, \sigma) = \mathrm{True}$, which constitutes successful forging. 
Therefore, the verification functions must be different at all levels to guarantee security against forging. If the 
protocol is $\epsilon$-secure against forging, then this should only happen with probability smaller than $\epsilon$. □ 

Here we should remark that it is possible for probabilistic protocols, in particular quantum signature protocols, to 
have two participants with the same verification functions, but the probability of this happening must be made small 
enough for the protocol to be secure. Alternatively, one could consider other security models in which this condition 
is relaxed: for example, two participants may be allowed to have the same verification function with higher probability, 
as long as it is unlikely for a cheating party to know who might have the same function. More generally, as further discussed 
below, there will be conditions not only on the probability that two participants have the same verification function, 
but also on how hard it is for a participant to guess the verification function of another participant. 

Corollary 1. A secure USS protocol with a finite number of possible signatures can only exist for a finite number of 
participants. 

Proof. For a given verification level $l$ and message $x$, a verification function for participant $P_i$ is equivalent to the 
specification of a subset $S \subseteq \Sigma$ of signatures such that $\mathrm{Ver}_{(i,l)}(x, \sigma) = \mathrm{True}$. Since the set of possible signatures 
is finite, so is the number of verification functions. From Observation 3, in any secure protocol every participant 
must have a different verification function with high probability, and since there is only a finite number of these 
functions, there can only be a finite number of participants. □ 

In principle, one could add new participants to the protocol by using further communication between the new 
participant and the original ones. Essentially, in order to construct a protocol with $N + 1$ participants from a 
protocol with $N$ participants, the new participant could interact with all others in exactly the same way as if he had 
participated directly in a protocol with $N + 1$ participants. This interaction could happen at a later time than the 
original distribution stage. 
Observation 4. The generation algorithm of a secure USS protocol must randomly generate the verification and 
signing functions. 

Proof. If all functions are generated deterministically, then the specification of the protocol is sufficient for every 
participant to know the signing function and all the verification functions. However, if a participant knows the signing 
algorithm, forging is trivial since he can produce authentic signatures. Similarly, if a participant knows the verification 
function of another person, he can conduct an exhaustive search to find a message-signature pair that is validated by 
the other participant, which constitutes a successful forgery. Finally, if a signer knows the verification function of the 
other participants, she can conduct an exhaustive search to find a signature that is accepted by one of them at level 
$l$, but rejected by everyone else at level $l - 1$, which allows her to repudiate or break transferability. Thus, a secure 
protocol requires a randomized generation algorithm. □ 

The randomness in the protocol may be produced locally by each participant, or it may be generated and distributed 
by a trusted third party. The randomness may arise from the intrinsic randomness of performing measurements on 
quantum systems, or by other means. Overall, from the point of view of each participant, the generation algorithm 
must induce a probability distribution over the possible signing functions as well as the possible verification 
functions. Therefore, the security of a USS protocol depends crucially on the difficulty of guessing the functions of other 
participants. We can formalize this requirement with the following observations. 

Observation 5. For a given message $x$, let $S_C$ be the set of signatures that pass the verification functions at level 
$l = 0$ of all members of a coalition $C$. Similarly, let $S_i$ be the set of signatures that pass the verification function at 
level $l = 0$ of a participant $P_i$ outside of the coalition. Then, for any USS protocol that is $\epsilon$-secure against forging, it 
must hold that 

$\dfrac{|S_i \cap S_C|}{|S_C|} \le \epsilon$ for all $i \notin C$, (8) 

where $|S|$ is the size of a set $S$ and $S_i \cap S_C$ is the intersection of $S_i$ and $S_C$. 

Proof. Let $(x, \sigma_C)$ be a message-signature pair drawn uniformly at random from $S_C$. If this signature passes the 
verification function at level $l = 0$ of a participant outside of the coalition, it will constitute a successful forgery. The 
probability that this happens is given by $|S_i \cap S_C| / |S_C|$, which must be smaller than $\epsilon$ in order for the protocol to be $\epsilon$-secure 
against forging. □ 

An illustration of the above property can be seen in Fig. 2. Notice that if a protocol is correct, authentic 
signatures are verified by all participants. Therefore, for correct protocols it holds that $S_C \cap S_i \neq \emptyset$. Similarly to the 
above, we can provide a condition for security against repudiation. 

Observation 6. For a given message $x$, let $S_i$ be the set of signatures that pass the verification function at level $l = 0$ 
of a participant $P_i$ outside of a coalition $C$, and let $\Sigma$ be the set of all possible signatures for this message. Then, 
for any USS protocol that is $\epsilon$-secure against forging and $\epsilon'$-secure against repudiation with a majority vote dispute 
resolution, it must hold that 

$\dfrac{|S_i|}{|\Sigma|} \le \dfrac{\epsilon'}{1 - \epsilon}$. (9) 


Proof. Let $\sigma_r$ be a signature drawn uniformly at random from the set $\Sigma$ of possible signatures. The probability 
that the signer can repudiate with this signature is given by 

$\Pr(\mathrm{rep}) = \Pr[\mathrm{Ver}_{(i,0)}(x, \sigma_r) = \mathrm{True} \ \mathrm{AND}\ \mathrm{MV}(x, \sigma_r) = \mathrm{Invalid}]$ 

$= \Pr[\mathrm{MV}(x, \sigma_r) = \mathrm{Invalid} \mid \mathrm{Ver}_{(i,0)}(x, \sigma_r) = \mathrm{True}] \times \Pr[\mathrm{Ver}_{(i,0)}(x, \sigma_r) = \mathrm{True}]$. (10) 

If $\sigma_r$ is drawn uniformly at random from $\Sigma$, conditioning on $\sigma_r$ passing the verification function of participant $P_i$ 
induces a uniform distribution over the set $S_i$. From Observation 5, if the protocol is $\epsilon$-secure against forging, the 
probability that a signature drawn uniformly at random from $S_i$ passes the verification function of another honest 
participant must be smaller than or equal to $\epsilon$. Consequently, the probability that a signature drawn randomly from 
$S_i$ passes the verification function of the majority of participants must also be smaller than $\epsilon$, so we have that 

$\Pr[\mathrm{MV}(x, \sigma_r) = \mathrm{Valid} \mid \mathrm{Ver}_{(i,0)}(x, \sigma_r) = \mathrm{True}] \le \epsilon$ 
FIG. 2: $S_C$ is the set of signatures that pass the verification functions at level $l = 0$ of all members of a coalition $C$. $S_i$ is the 
set of signatures that pass the verification function at level $l = 0$ of a participant $P_i$ outside of a coalition. If the protocol is 
secure against repudiation, the intersection $S_C \cap S_i$ must be small compared to $S_C$. More generally, the coalition should not be 
able to guess what the verification functions of the other participants are, except with low enough probability. For example, if 
the protocol is secure against forging, the coalition should not be able to distinguish whether they are in situation (A) or (B). 


and therefore 

$\Pr[\mathrm{MV}(x, \sigma_r) = \mathrm{Invalid} \mid \mathrm{Ver}_{(i,0)}(x, \sigma_r) = \mathrm{True}] = 1 - \Pr[\mathrm{MV}(x, \sigma_r) = \mathrm{Valid} \mid \mathrm{Ver}_{(i,0)}(x, \sigma_r) = \mathrm{True}] \ge 1 - \epsilon$. (11) 

If the protocol is $\epsilon'$-secure against repudiation it must hold that $\Pr(\mathrm{rep}) \le \epsilon'$, which, using Eqs. (10) and (11), gives 
us 

$\epsilon' \ge \Pr(\mathrm{rep}) \ge (1 - \epsilon) \Pr[\mathrm{Ver}_{(i,0)}(x, \sigma_r) = \mathrm{True}] \quad \Rightarrow \quad \dfrac{|S_i|}{|\Sigma|} \le \dfrac{\epsilon'}{1 - \epsilon}$, 

where we have used the fact that $\Pr[\mathrm{Ver}_{(i,0)}(x, \sigma_r) = \mathrm{True}] = |S_i| / |\Sigma|$. □ 

The size of the sets that pass the verification functions at different levels also plays an important role in permitting 
transferability. In fact, for a special class of USS protocols, such as the QS of Refs. [2, 18, 19], it is possible to provide 
conditions for these sets in order to achieve transferability and security against repudiation. These protocols, which 
we call bit-mismatch protocols, have the following properties. The set of possible signatures $\Sigma$ is the set of all binary 
strings of $n$ bits, i.e. $\Sigma = \{0, 1\}^n$. For each possible message $x$, recipient $P_i$ is given a random subset of positions $p_i^x$ 
of size $K$ of the integers $\{1, 2, \ldots, n\}$. The recipient also receives verification bits $v_i^x$. Upon receiving a signature $\sigma$, 
a recipient collects the bits of $\sigma$ at the positions corresponding to $p_i^x$ to form a shorter string which we call $\sigma_i$. The 
verification functions are then given by 

$\mathrm{Ver}_{(i,l)}(x, \sigma) = \begin{cases} \mathrm{True} & \text{if } h(\sigma_i, v_i^x) < s_l K \\ \mathrm{False} & \text{otherwise} \end{cases}$ (12) 

for some $s_l \in [0, \tfrac{1}{2})$, which depends on the verification level $l$, and where $h(v_i^x, \sigma_i)$ is the Hamming distance between 
$v_i^x$ and $\sigma_i$. 
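As an added illustration of Observations 5 and 6 (example code written for this page, not code from the paper), the following Python script instantiates a bit-mismatch protocol at level $l = 0$ on an 8-bit signature space that is small enough to enumerate $\Sigma$ exhaustively, and computes the left-hand sides of Eqs. (8) and (9) by brute force. The authentic signature, the recipients' position sets and the thresholds are constructed sample values.

```python
import itertools

# Added example (not from the paper): a toy bit-mismatch protocol at verification
# level 0 with a tiny signature space, so that the sets S_i and S_C of
# Observations 5 and 6 can be enumerated exhaustively and Eqs. (8) and (9) checked.
# All positions, bits and thresholds below are constructed sample values.

N_BITS = 8       # n: signatures are all strings in {0,1}^8
K = 4            # each recipient checks K positions of the signature


def hamming(a, b):
    """Hamming distance between two equal-length bit sequences."""
    return sum(x != y for x, y in zip(a, b))


def restrict(sigma, positions):
    """sigma_i: the bits of sigma at the recipient's positions p_i."""
    return tuple(sigma[j] for j in positions)


def make_recipient(signature, positions):
    """Verification data (p_i, v_i): the positions and the authentic bits there."""
    return tuple(positions), restrict(signature, positions)


def verify(sigma, recipient, s):
    """Eq. (12) at one level: accept iff h(sigma_i, v_i) < s*K."""
    positions, v = recipient
    return hamming(restrict(sigma, positions), v) < s * K


def accepted_set(recipient, s):
    """S_i: every signature in {0,1}^n that the recipient accepts with threshold s."""
    return {sigma for sigma in itertools.product((0, 1), repeat=N_BITS)
            if verify(sigma, recipient, s)}


def forging_ratio(coalition, target, s):
    """Left-hand side of Eq. (8): |S_i & S_C| / |S_C| for coalition C and outsider i."""
    s_c = set.intersection(*(accepted_set(r, s) for r in coalition))
    s_i = accepted_set(target, s)
    return len(s_i & s_c) / len(s_c)


def acceptance_fraction(recipient, s):
    """|S_i| / |Sigma|, the quantity bounded by Eq. (9)."""
    return len(accepted_set(recipient, s)) / 2 ** N_BITS


# Constructed authentic signature and three recipients. A and B check disjoint
# positions; C overlaps A on positions 2 and 3, which is what a forger exploits.
SIGNATURE = (1, 0, 1, 1, 0, 0, 1, 0)
RECIPIENT_A = make_recipient(SIGNATURE, (0, 1, 2, 3))
RECIPIENT_B = make_recipient(SIGNATURE, (4, 5, 6, 7))
RECIPIENT_C = make_recipient(SIGNATURE, (2, 3, 4, 5))
S_STRICT = 0.25   # h < 1: an exact match on the checked bits is required
S_LOOSE = 0.5     # h < 2: one mismatch tolerated (a lower verification level)

if __name__ == "__main__":
    print("|S_B & S_A| / |S_A| =", forging_ratio([RECIPIENT_A], RECIPIENT_B, S_STRICT))
    print("|S_C & S_A| / |S_A| =", forging_ratio([RECIPIENT_A], RECIPIENT_C, S_STRICT))
    print("|S_A| / |Sigma|     =", acceptance_fraction(RECIPIENT_A, S_STRICT))
    print("strict set nested in loose set:",
          accepted_set(RECIPIENT_A, S_STRICT) <= accepted_set(RECIPIENT_A, S_LOOSE))
```

With recipient A as the whole coalition, the outsider B checks disjoint positions, so the ratio in Eq. (8) is $1/16$, the same as a blind guess of four bits; recipient C shares two positions with A and the ratio rises to $1/4$, which is the partial knowledge of another participant's verification algorithm that Section IV warns about. The last line checks Observation 2 on this instance: the set accepted with the stricter threshold is contained in the set accepted with the looser one.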

Observation 7. For any correct bit-mismatch protocol which is transferable and secure against repudiation, with a 
majority-vote dispute resolution method, it must hold that $s_{l-1} > s_l$ for all $l$. 


Proof. Consider a cheating strategy by the signer in which she randomly flips each bit of the authentic signature 
$\mathrm{Sign}(x)$ with probability $p$, leading to an altered signature $\sigma'$. For each participant, the choice of $p$ induces a 
FIG. 3: For a given verification level $l$, a signer may produce a signature which, with non-negligible probability, passes the 
verification function at level $l$ of participant $P_i$, but not of the other two participants at this same level. Such a signature is 
illustrated by a cross in the figure. Since more signatures are accepted at lower levels, when the other participants verify that 
same signature at level $l - 1$, it now passes the verification function of all participants. This feature prevents repudiation and 
permits transferability. 


corresponding probability $q_{i,l}(p)$ that the altered signature will pass their verification function at level $l$. Since the 
protocol is correct, authentic signatures pass the verification functions of all participants at all levels, which implies 
that $q_{i,l}(0) = 1$, and $q_{i,l}$ reaches $0$ for all $l$. The induced probability $q_{i,l}(p)$ is a continuous function of $p$,² which implies 
that there must exist a value $p_l^*$ such that, for some non-negligible $\delta > 0$, it holds that 

$\tfrac{1}{2} - \delta < q_{i,l}(p_l^*) < \tfrac{1}{2}$ (13) 

for all participants $P_i$. 


Now consider the case $l = 0$ and assume that $s_0 \ge s_{-1}$. By choosing $p_0^*$ for her cheating strategy, the signer 
can create a signature which a given participant accepts with a non-negligible probability greater than $1/2 - \delta$ and 
smaller than $1/2$, according to Eq. (13). Moreover, since $s_0 \ge s_{-1}$, Eq. (12) implies that the probability that any 
other participant accepts the signature at level $l = -1$ must be smaller than $1/2$. In that case, with non-negligible 
probability, the majority of participants will reject the signature during dispute resolution, where they check the 
signature at level $l = -1$. Therefore, such a protocol cannot be secure against repudiation. 


Similarly, for the case $l > 0$, a dishonest signer can choose $p_l^*$ for her cheating strategy and have any given participant 
accept a signature at this level with probability at least $1/2 - \delta$. If $s_l \ge s_{l-1}$, when the participant who accepts the 
signature at level $l$ transfers it to another person, the new participant will reject the signature at level $l - 1$ with 
non-negligible probability greater than $1/2$. Thus, such a protocol cannot offer transferability. □ 
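To make the argument of Observation 7 concrete, here is an added Python example (not from the paper) that computes $q_l(p)$ exactly under the simplifying assumption that each of the $K$ bits a recipient checks is flipped independently with probability $p$, so that $q_l(p) = \Pr[\mathrm{Binomial}(K, p) < s_l K]$; it finds $p_l^*$ of Eq. (13) by bisection and compares the other recipients' acceptance probability at the lower level when the thresholds are ordered as in Eq. (18) versus when they are not. $K$ and the thresholds are constructed values.

```python
from math import comb

# Added example (not from the paper): the bit-flipping strategy from the proof of
# Observation 7 for a bit-mismatch protocol, computed exactly. The simplifying
# assumption is that each of the K bits a recipient checks is flipped
# independently with probability p, so q_l(p) = Pr[Binomial(K, p) < s_l * K].
# K and the thresholds below are constructed sample values.

K = 64


def acceptance_probability(p, s, k=K):
    """q_l(p): probability that a signature with each checked bit flipped with
    probability p still has Hamming distance below s*k, as in Eq. (12)."""
    return sum(comb(k, h) * p ** h * (1 - p) ** (k - h)
               for h in range(k + 1) if h < s * k)


def find_p_star(s, k=K, steps=60):
    """Bisection for p_l^* with 1/2 - delta < q_l(p*) <= 1/2, Eq. (13).
    q_l is continuous and strictly decreasing in p, so the crossing exists."""
    lo, hi = 0.0, 1.0                 # invariant: q(lo) > 1/2 >= q(hi)
    for _ in range(steps):
        mid = (lo + hi) / 2
        if acceptance_probability(mid, s, k) > 0.5:
            lo = mid
        else:
            hi = mid
    return hi


def repudiation_chances(s_level, s_lower, k=K):
    """The signer tunes p to the threshold s_level of the level at which one
    recipient is meant to accept; report how likely another recipient is to
    accept the same signature at the lower level with threshold s_lower."""
    p_star = find_p_star(s_level, k)
    return {
        "p_star": p_star,
        "accept_at_level": acceptance_probability(p_star, s_level, k),
        "accept_at_lower_level": acceptance_probability(p_star, s_lower, k),
    }


if __name__ == "__main__":
    ordered = repudiation_chances(s_level=0.25, s_lower=0.35)      # s_{l-1} > s_l
    misordered = repudiation_chances(s_level=0.25, s_lower=0.15)   # s_{l-1} < s_l
    print("thresholds ordered as in Eq. (18):", ordered)
    print("thresholds misordered:            ", misordered)
```

With the ordering of Eq. (18) the lower level is more lenient, so a signature tuned to be accepted at level $l$ with probability just under $1/2$ is accepted at level $l - 1$ with probability above $1/2$; with the ordering reversed the lower level is stricter and the other recipients reject the same signature more often than not, which is the situation the proof uses to break repudiation and transferability.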

Intuitively, the above proof states that the size of the set of signatures that pass the verification functions at a given 
level must increase for lower verification levels. This is illustrated in Fig. 3. 

In the next section, we will examine previous QS protocols in light of our security framework. This will help 
illustrate our results with concrete examples as well as to showcase the importance of having a rigorous framework. 


IV. PREVIOUS PROTOCOLS 


Here we briefly mention how previous three-party quantum signature protocols fit in our security framework. In 
particular, we consider the protocol DWA of Ref. [18] and the first protocol P1-WDKA from Ref. [3]. The experimental 


² This probability distribution can be shown to be equal to the sum of two cumulative binomial distributions, which are continuous 
functions. 
realisation in m is a variant of the DWA protocol. These two protocols do not require a quantum memory, and thus 
can be readily compared with classical USS schemes. 

In these protocols, we have three participants given by the set $\mathcal{P} = \{P_0, P_1, P_2\}$. The set of possible messages 
is $\mathcal{X} = \{0, 1\}$, i.e. we are interested in signing single-bit messages. There is at most one dishonest participant. In 
the distribution stage, quantum states are exchanged and measured. At the end of this stage, the participants have 
obtained their verification algorithms. The set of possible signatures for the DWA protocol is $\Sigma = \{0, 1\}^K$, while for 
P1-WDKA it is $\Sigma = \{0, 1, 2, 3\}^K$, where $K$ is the total length of the signature. 


A. DWA protocol [18] 


1. All the participants are connected by authenticated quantum channels and authenticated classical channels. 
The assumption of authenticated quantum channels means that the quantum messages which are transmitted 
are not altered during transmission. This can be guaranteed following a procedure similar to the parameter 
estimation phase of QKD [24]. 

2. For each message $x \in \{0, 1\}$, the signer $P_0$ selects a string of bits $\sigma^x$ uniformly at random. For each 0 in 
the string $\sigma^x$ he prepares the coherent state $|\alpha\rangle$ and for each 1 he prepares the coherent state $|-\alpha\rangle$. He then 
generates this sequence of coherent states twice and sends one copy of this sequence to $P_1$ and the other to $P_2$. 

3. The recipients $P_1, P_2$ take their copies and pass them through an optical multiport (see [18] for details). The 
effect of this is the following. If all parties are honest, then they end up with the state $P_0$ sent, while if there 
was any deviation on $P_0$'s side - for example $P_0$ sending different quantum states to $P_1$ and $P_2$ - then they 
end up with a symmetrised quantum state that is identical for both. This step is done to guarantee that the 
protocol is secure against repudiation. 

4. Finally, each of the recipients measures the received sequence of coherent states $\{|\alpha\rangle, |-\alpha\rangle\}$ using unambiguous 
state discrimination. The result is that each of the recipients knows the correct bit value for the 
positions in which he obtains an unambiguous outcome. For participant $i$, we denote the bit string of outcomes 
as $v_i^x$ and the positions for which they obtain unambiguous outcomes as $p_i^x$. The recipients have partial knowledge 
of the signature, but the sender does not know which bits are known to whom, and therefore he will not 
be able to repudiate. 

5. Each participant $P_i$ defines the verification function for the signature $\sigma^x$ as follows. First, they form a shorter 
string $\sigma_i^x$ from $\sigma^x$ by keeping only the bits corresponding to the positions $p_i^x$ for which they obtain unambiguous 
outcomes. The verification function of level $l$ is then defined as 

$\mathrm{Ver}_{(i,l)}(x, \sigma) = \begin{cases} \mathrm{True} & \text{if } h(\sigma_i^x, v_i^x) < s_l K \\ \mathrm{False} & \text{otherwise} \end{cases}$ (14) 

where $h(\sigma_i^x, v_i^x)$ is the Hamming distance between $\sigma_i^x$ and $v_i^x$, and $s_l$ is a fraction defined by the protocol. 
Therefore, this protocol is a bit-mismatch protocol, as defined in the previous section. In the original protocol, 
there were only two thresholds $s_a$ and $s_v$; the first was used to verify whether a signature is transferable and the 
second to verify just the origin of the signature. In our notation, $s_a = s_1$ and $s_v = s_0$. These fractions satisfy 
$s_0 > s_1$. 

6. The signature function is given by $\mathrm{Sign}(x) = \sigma^x$. 

7. Dispute resolution was not explicitly defined. However, it was implicit that a majority vote was to be used. 


Remarks about the security of this protocol will be made after we give the description of the second protocol, since 
they have several similarities. 


B. Pl-WDKA protocol 


1. All the participants are connected by authenticated quantum channels and authenticated classical channels. 
2. For each message $x \in \{0, 1\}$, the signer $P_0$ selects a string $\sigma^x$ of numbers from $\{0, 1, 2, 3\}$, uniformly at random. 
For 0 he prepares the qubit state $|0\rangle$, for 1 the state $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, for 2 the state $|1\rangle$ and for 3 the 
state $|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. These are usually referred to as the BB84 states. He then generates this sequence 
of BB84 states twice and sends one copy of this string to $P_1$ and the second copy to $P_2$. 

3. For each qubit he receives, recipient $P_1$ ($P_2$) randomly chooses whether to keep this state or forward it to 
$P_2$ ($P_1$). The effect of this process is that each of the qubits which $P_0$ sends may end up with either of the 
recipients. In other words, they have now symmetrized the quantum states they have, even if the sender $P_0$ 
initially deviated and sent different signatures $\sigma^x$ to each one of them. For each message $x$, participant $P_i$ 
defines the set $p_i^x \subseteq \{1, 2, \ldots, K\}$ of positions for which they have a qubit. 

4. Each of the recipients measures the received BB84 qubits using unambiguous state elimination [5S1I21]. With 
this measurement, they never learn what state $P_0$ sent - they only rule out one of the possible states. Therefore, 
for each position in $p_i^x$ for which they had a qubit, they obtain a set of at most two states that are ruled out. 
The set of states they did not rule out is the set of allowed states, denoted by $A_j \subseteq \{0, 1, 2, 3\}$ for each position 
$j$ in $p_i^x$. Note that each $A_j$ has at least two allowed states but not more than three. We then define the set of 
$i$-perfect signatures as the set that contains all strings of symbols $v_i^x$ where the value of the string for each 
of the positions in $p_i^x$ is in the set $A_j$. Again, the recipients have partial knowledge of the signature $\sigma^x$ and the 
sender $P_0$ is not aware of exactly what this knowledge is or for which positions this information was obtained. 


5. Each participant $P_i$ defines the verification function for the signature as follows. First, they form a shorter 
string $\sigma_i^x$ from $\sigma^x$ by keeping only the bits corresponding to the positions $p_i^x$ for which they received qubits and 
thus have unambiguously ruled out states. The verification function for level $l$ is then defined as 

$\mathrm{Ver}_{(i,l)}(x, \sigma) = \begin{cases} \mathrm{True} & \text{if } \min_{v_i^x} h(\sigma_i^x, v_i^x) < s_l K \\ \mathrm{False} & \text{otherwise} \end{cases}$ (15) 

where $h(\sigma_i^x, v_i^x)$ is the Hamming distance between $\sigma_i^x$ and $v_i^x$, and the minimum is taken over all $i$-perfect 
signatures. The fraction $s_l$ is again defined by the protocol. In the original protocol, there were two thresholds 
$s_a$ and $s_v$; the first was used to verify whether a signature is transferable and the second to verify just the origin 
of the signature. In our notation, $s_a = s_1$ and $s_v = s_0$, with $s_0 > s_1$. 

6. The signature function is given by $\mathrm{Sign}(x) = \sigma^x$. 

7. Dispute resolution was not explicitly defined. However, it was implicit that a majority vote was to be used. 


The full security analysis of these protocols can be found in the original references. However, we here make a 
few remarks. First, we see that in a certain sense, these protocols are easier to analyse than general multiparty QS 
protocols because there is at most one dishonest participant. This significantly simplifies proofs for non-repudiation 
and transferability because the sender $P_0$ cannot have colluding parties. As we will see in the multiparty protocol 
below, having the sender colluding with recipients can lead to having honest participants totally disagreeing on 
fractions of the signature, and extra care is needed to address such possibilities. 

Second, these protocols have a property that places strict demands on the noise level and imperfections in an 
implementation. The recipients $P_1$ and $P_2$ receive the same sequence of quantum states. Since they hold a legitimate 
copy of the state received by the other recipient, they have partial information about the other participant’s verification 
algorithm. This makes it harder to guard against forging, to the point that security is only possible for low levels of 
noise and experimental imperfections. The security analysis is also complicated by the fact that the optimal forging 
attack depends on the states sent, e.g. on the amplitude a of the coherent states. 

In any case, the intuition behind the security of these protocols is still the same. Forging is not possible because in 
order to deceive a participant $P_2$, the other participant $P_1$ should correctly guess the bit value for at least a fraction 
$s_v = s_0$ of the positions in which $P_2$ obtained an unambiguous outcome. Participant $P_1$ can use her copy to make a 
best guess, but this guess is never perfect, while the unambiguous measurement gives a perfect result when it does 
give a result, and therefore a legitimate participant always has an advantage. Repudiation in the case of three parties 
is essentially the same as non-transferability, since the aim is to make one recipient accept at level $l = 1$ and the other 
reject at the lower level $l = 0$. The security against this is guaranteed by the fact that the two recipients symmetrize 
their records, and therefore, from the point of view of $P_0$, he cannot make the one accept a lower threshold and then 
the other reject a higher threshold. 

Finally, it is worth noting that, at the time Refs. [18] and [5] were written, the security framework we gave here 
did not exist. Therefore, the concept of dispute resolution and of the extra verification level $l = -1$ were not defined. 
Strictly speaking, for the full security of those protocols, we should define a new level $l = -1$ with threshold $s_{-1}$ that 
obeys the condition that $s_{-1} > s_0 > s_1$. This is another good example of how the framework introduced in this work 
can prove fruitful in making more accurate statements and even in improving existing protocols. 

In the next section, we use the security framework and properties developed so far to generalize the protocol P2- 
WDKA introduced in Ref. [5] to the case of many participants. We provide a full security proof against forging, 
repudiation and non-transferability. 


V. GENERALIZED P2-WDKA PROTOCOL 


In this protocol, which is a generalization of the protocol P2 of Ref. [5], we have $N + 1$ participants given by the set 
$\mathcal{P} = \{P_0, \ldots, P_N\}$. The set of possible messages is $\mathcal{X} = \{x_1, \ldots, x_M\}$, where there are $M$ different possible messages. 
Additionally, $\Sigma = \{0, 1\}^K$ is the set of possible signatures, and $K = nN$ is the length of the total signature, where $n$ 
is an integer that depends on the required security parameters and is divisible by $N$. 

As in any cryptographic protocol, we will make some trust assumptions. In particular, we assume that the number 
of honest participants is at least $h$. We can then define the fraction of dishonest participants as $d_f = 1 - h/N$. The 
maximum verification level $l_{\max}$ is determined by the allowed fraction of dishonest participants, 

$(l_{\max} + 1)\, d_f < \tfrac{1}{2}$. (16) 

The reason for this restriction will become clear later. The distribution stage of the protocol, which gives rise to the 
generation algorithm, proceeds as follows: 


1. All the participants use quantum key distribution links in order to establish pairwise secret keys. Each recipient 
needs to share a secret key of $nM$ bits with the signer $P_0$ and a secret key of $\frac{2Mn}{N}(1 + \lceil \log_2 n \rceil)$ bits with each 
of the other recipients. 

2. For each possible message $x \in \mathcal{X}$, the signer selects a string of $K = nN$ bits uniformly at random and divides 
it into $N$ sections $\{\sigma_1^x, \sigma_2^x, \ldots, \sigma_N^x\}$. The signer sends $\sigma_i^x$ to participant $P_i$ over a secure channel using their 
shared secret keys. 

3. For every possible message, each recipient randomly divides the set {1,2, ...,n} into N disjoint subsets 

and uses the bit values of erf at the randomly chosen positions pf ■ to form the string 

’ 

* j 

4. For all $i \neq j$, each participant $P_i$ transmits the string $v_{i,j}^x$ and the positions $p_{i,j}^x$ to participant $P_j$ over a secure 
channel using their shared secret keys. Participant $P_i$ keeps $v_{i,i}^x$ and $p_{i,i}^x$ to herself. 

5. Each participant $P_j$ defines a test for a section $\sigma_i^x$ as follows. First, they form a shorter string $\sigma_{i,j}^x$ from $\sigma_i^x$ by 
keeping only the bits corresponding to the positions $p_{i,j}^x$. The test is then defined as 

$T_{(j,l)}(\sigma_i^x) = \begin{cases} 1 & \text{if } h(\sigma_{i,j}^x, v_{i,j}^x) < s_l \frac{n}{N} \\ 0 & \text{otherwise} \end{cases}$ (17) 

where $h(\sigma_{i,j}^x, v_{i,j}^x)$ is the Hamming distance between $\sigma_{i,j}^x$ and $v_{i,j}^x$ and $s_l$ is a fraction defined by the protocol. 
These fractions satisfy 

$\tfrac{1}{2} > s_{-1} > s_0 > s_1 > \cdots$ (18) 


6. The verification function is defined as 

$\mathrm{Ver}_{(i,l)}(x, \sigma) = \begin{cases} \mathrm{True} & \text{if } \sum_{j=1}^{N} T_{(i,l)}(\sigma_j^x) > N f_l \\ \mathrm{False} & \text{otherwise} \end{cases}$ (19) 


We assume that the adversaries are static, i.e. the participants are either honest or dishonest for the entire duration of the protocol. 
where $f_l$ is a threshold fraction given by 

$f_l = \tfrac{1}{2} + (l + 1)\, d_f$. (20) 

7. The signature function is given by $\mathrm{Sign}(x) = \sigma^x$. 

8. Majority vote is the dispute resolution method. 


The main steps of the distribution stage are illustrated in Fig. 4. 


The verification function, in words, accepts at level $l$ if there are more than a fraction $f_l$ of the sections 
$\{\sigma_1^x, \sigma_2^x, \ldots, \sigma_N^x\}$ that pass the test of the $i$th participant. This choice of the fraction $f_l$ is made in order to satisfy 
a few constraints. First, we need the protocol for $l = -1$ to still require more than half of the tests to succeed, 
i.e. $f_{-1} \ge 1/2$. Second, we want the difference of the thresholds between two levels to exceed the fraction of dishonest 
participants, i.e. $f_l - f_{l-1} \ge d_f$. Finally, by noting that $f_l < 1$ for all $l$, we determine the maximum value that $l$ can 
take and this results in Eq. (16). 


In the protocol, there are two different types of thresholds, $s_l$ and $f_l$, both depending on the verification level $l$. The 
first threshold, $s_l$, determines whether a given part of the signature passes the test or not, by checking the number of 
mismatches at this part. The second threshold, $f_l$, determines how many parts of the signature need to pass the test 
in order for the signature to be accepted at that level. 


An example of why different fractions for each verification level are needed is given by the following. Assume that 
one recipient, for example $P_1$, is a "spy" of an adversarial sender $P_0$, i.e. colludes with her in order to make two honest 
recipients $P_2$ and $P_3$ disagree on the validity of a signature. The spy can tell the sender the elements $(v_{1,2}, p_{1,2})$ and 
$(v_{1,3}, p_{1,3})$. The sender can then use this information to send a signature $\sigma'$ that differs from the ideal signature $\sigma$ 
only by flipping all the bit values at the positions determined by $p_{1,3}$. Recipient $P_2$ would accept the message, since 
he finds no errors. However, $P_3$ will find that all the bits of $v_{1,3}$ are wrong, which will make his test fail. In general, if 
$d_f N$ dishonest participants exist, and if all of them are spies, two honest participants can differ by at most $d_f N$ tests. 
From Eq. (20), choosing $f_l - f_{l-1} = d_f$ allows the protocol to remain secure against this type of attack. 
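The following Python simulation is an added example (not the authors' code) of steps 1-8 of the distribution stage and of the spy example just described. The QKD links and secure channels are modelled as direct delivery, which is justified by the remark that the security of the protocol rests only on the verification matrix. Six recipients, 60-bit sections, one allowed dishonest recipient and the thresholds $s_l$ are constructed values; the test of Eq. (17) is given the name `section_test`, and each recipient's row of the verification matrix is stored as a dictionary indexed by the section it refers to.

```python
import random
from fractions import Fraction

# Added example (not the paper's code): a classical simulation of the distribution
# stage and verification function of the generalized P2-WDKA protocol, with the
# QKD-secured channels modelled as direct delivery. It also runs the "spy" example
# from the text. N, n and the thresholds are constructed values; exact Fractions
# avoid rounding at the comparison "passed > N f_l" of Eq. (19).

N = 6                       # recipients P_1..P_N (0-indexed below); the signer is P_0
n = 60                      # bits per section, divisible by N; K = nN bits in total
D_F = Fraction(1, N)        # one dishonest recipient allowed: d_f = 1 - h/N with h = N - 1
S = {-1: Fraction(9, 20), 0: Fraction(3, 10), 1: Fraction(3, 20)}   # s_l, ordered as Eq. (18)


def f_threshold(level, d_f=D_F):
    """Eq. (20): f_l = 1/2 + (l + 1) d_f."""
    return Fraction(1, 2) + (level + 1) * d_f


def max_level(d_f=D_F):
    """Largest l satisfying Eq. (16), (l + 1) d_f < 1/2."""
    level = -1
    while (level + 2) * d_f < Fraction(1, 2):
        level += 1
    return level


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def distribution_stage(seed, recipients=N, bits=n):
    """Steps 2-4 for one message. Returns the signer's sections sigma_1..sigma_N
    (0-indexed) and, for each recipient j, the pairs {i: (v_ij, p_ij)} it holds."""
    rng = random.Random(seed)
    sections = [[rng.randrange(2) for _ in range(bits)] for _ in range(recipients)]
    holdings = [dict() for _ in range(recipients)]
    chunk = bits // recipients
    for i in range(recipients):
        order = list(range(bits))
        rng.shuffle(order)                          # random partition of {0..n-1}
        for j in range(recipients):
            p_ij = sorted(order[j * chunk:(j + 1) * chunk])
            v_ij = [sections[i][k] for k in p_ij]
            holdings[j][i] = (v_ij, p_ij)           # P_i -> P_j over their secret key
    return sections, holdings


def section_test(section, v_ij, p_ij, level, bits=n, recipients=N):
    """Eq. (17): 1 if the mismatches at the shared positions are below s_l * n/N."""
    mismatches = hamming([section[k] for k in p_ij], v_ij)
    return 1 if mismatches < S[level] * bits / recipients else 0


def verify(sections, holding, level, recipients=N):
    """Eq. (19): accept at level l if more than N f_l sections pass this recipient's tests."""
    passed = sum(section_test(sections[i], *holding[i], level) for i in range(recipients))
    return passed > recipients * f_threshold(level)


def honest_example(seed=1):
    """Correctness: every recipient accepts the authentic signature at every level."""
    sections, holdings = distribution_stage(seed)
    return all(verify(sections, holdings[j], level)
               for j in range(N) for level in range(-1, max_level() + 1))


def spy_example(seed=0, spy=0, other=1, target=2):
    """Spy P_spy leaks (v_spy,target, p_spy,target) to the signer, who flips the spy's
    section at exactly those positions; return (other's, target's) verdict per level."""
    sections, holdings = distribution_stage(seed)
    _, leaked_positions = holdings[target][spy]
    forged = [list(sec) for sec in sections]
    for k in leaked_positions:
        forged[spy][k] ^= 1
    return {level: (verify(forged, holdings[other], level),
                    verify(forged, holdings[target], level))
            for level in range(-1, max_level() + 1)}


if __name__ == "__main__":
    print("l_max =", max_level(), "f_l =", {l: f_threshold(l) for l in range(-1, max_level() + 1)})
    print("honest run accepted everywhere:", honest_example())
    print("(other, target) verdicts per level under the spy attack:", spy_example())
```

With $d_f = 1/6$, Eq. (16) gives $l_{\max} = 1$ and Eq. (20) gives $f_{-1} = 1/2$, $f_0 = 2/3$, $f_1 = 5/6$. The honest recipient whose positions were not leaked passes all six tests and accepts at every level, while the targeted recipient fails exactly one test: it rejects at level 1 but accepts at level 0 and at the dispute-resolution level $-1$, so the two honest recipients disagree at one level only, and the signature is still transferable one level down, which is what the gap $f_l - f_{l-1} = d_f$ buys.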


Finally, note that the important information defining the verification functions can be encoded in an $N \times N$ matrix, 
which we call the verification matrix. Each element of this matrix is a collection of $M$ pairs of strings $(v_{i,j}^x, p_{i,j}^x)$. 
The strings $v_{i,j}^x$ have length $\frac{n}{N}$ bits, while the position records $p_{i,j}^x$ have length $\frac{n}{N} \times \lceil \log_2 n \rceil$ bits. Note that in $v_{i,j}^x$ 
and $p_{i,j}^x$ the first index corresponds to the section $\sigma_i^x$ received by participant $P_i$, while the second index determines 
the other participant $P_j$ with whom this string is shared. Importantly, it is not mandatory that these verification 
functions are constructed following the same steps as in the distribution stage outlined above. The security of the 
protocol relies only on the properties of the verification matrix and the value of other protocol parameters, which in 
principle may be generated by other means e.g. with the help of a trusted arbiter. 


If the participants were honest during the above distribution stage, we end up exactly with the outcome of the ideal 
generation algorithm, which gives rise to the desired verification and signing functions. The important thing to notice 
is that deviating in the distribution stage is equivalent to being honest at this stage, but deviating at a later stage of 
the protocol. The sender gains nothing by sending a different signature to the recipients during the distribution stage, 
since this is equivalent to sending the correct signature during the distribution stage, but then sending a different 
signature at a later stage. The same holds for an adversarial recipient who is in coalition with the sender. On the 
other hand, an adversarial recipient, say $P_2$, who wishes to forge a message by deviating and giving different $(v_{2,j}, p_{2,j})$, is 
not improving his chances to forge, since in order to forge a signature for participant $P_1$ for example, he will have to 
guess correctly the $(v_{1,1}, p_{1,1})$, and even if he is honest, he knows the $(v_{1,2}, p_{1,2})$. 

We now proceed to prove the security of this protocol. In the following, for simplicity, we will drop the superscript 
labelling the message $x$ from $v_{i,j}^x$, $p_{i,j}^x$ and $\sigma_i^x$, and we will refer to participants by their index only, i.e. as $i$ instead 
of $P_i$. 


A. Security proofs 


We will separately address the security of this protocol against forging, repudiation and non-transferability. We 
begin by noticing that the value of n must be chosen depending on other parameters and on the level of security. 
FIG. 4: Illustration of the protocol with four participants. In part (A), the sender divides a randomly generated string 
into three sections $\sigma_1^x, \sigma_2^x, \sigma_3^x$ and sends each of them to the corresponding participant over a secure channel, using a secret 
key previously generated using quantum key distribution. The secret channels are represented by thicker coloured arrows. The 
other participants divide the sections they receive to produce the strings $v_{i,j}^x$ alongside the corresponding positions $p_{i,j}^x$. In 
(B), the participants exchange the sections $v_{i,j}^x$ of the signature and the positions $p_{i,j}^x$ over secure channels. In the end, every 
participant keeps their original sections plus one additional section from each of the other participants, which they use for 
their verification functions. The sections in dashed boxes are known by the corresponding participant but are not used in the 
verification functions. 


In particular, we want the probabilities for forging, non-transferability, and repudiation to decrease exponentially 
fast with n. However, the number of participants N also enters the security expressions. To make sure that the all 
cheating probabilities go to zero even when the number of participants is very large, in general we require that 

n > (21) 

where a 3> 1 is a large positive constant and S a small positive constant. 

Forging. In order to forge, a coalition $C$ which does not include the signer needs to output a message-signature 
pair $(x, \sigma)$ that is $i$-acceptable for some $i \notin C$. In general, according to our definitions, we consider forging successful 
if the coalition can deceive any honest participant, and not a fixed one. Here, for simplicity, we restrict attention 
to trying to deceive a fixed participant, and we will prove that this probability decays exponentially fast with the 
parameter $n$. At the end, we will extend this to the general case where the target is not a fixed participant. Therefore, 
for now, we fix the recipient that the coalition wants to deceive to be simply $i$. 

Recall that a signature $\sigma$ is $i$-acceptable if $\mathrm{Ver}_{(i,0)}(x, \sigma) = \mathrm{True}$. By the definition of the verification functions of our 
protocol, this means that the coalition should output a signature $\sigma$ such that participant $i$ accepts $N f_0$ tests at level 
zero. From Eq. (20), we have that $f_0 = \tfrac{1}{2} + d_f$. By the definition of the protocol, the number of members 
in a coalition is at most $N d_f$. The coalition knows the pairs $(v_{j,i}, p_{j,i})$ for all $j \in C$, so they can use this knowledge 
to trivially pass $N d_f$ tests. It follows that in order to forge, the coalition must pass at least $N(f_0 - d_f) = N/2$ tests 
out of the $N(1 - d_f)$ tests that they do not have access to. The first step in computing the probability that they can 
do this is to calculate the probability of passing a single test for $j \notin C$. 


1. We denote by $p_t$ the probability that a coalition with no access to the pair $(v_{j,i}, p_{j,i})$ passes a test at level $l = 0$. 
Because the strings $(v_{j,i}, p_{j,i})$ were transferred over secure channels by honest recipients, they are completely 
unknown to the coalition and hence the probability of guessing correctly a single bit of $v_{j,i}$ is exactly $1/2$. In 
order to pass the test, the coalition needs to guess the bits so that at most a fraction $s_0$ of the $n/N$ bits are wrong. The 
probability that they can achieve this can be bounded using Hoeffding's inequality as 

$$ p_t \le \exp\left(-2\left(\tfrac{1}{2} - s_0\right)^2 \frac{n}{N}\right), \qquad (22) $$

which decays exponentially with the number $n/N$ provided that $s_0 < 1/2$. Note that, by Eq. (21), we know 
that this term decays exponentially even for $N \to \infty$. 

2. Now we will give a bound for the probability of forging against a fixed participant. This can be obtained by 
computing the probability of passing at least one of the unknown $N(1 - d_f)$ tests, which is given by 

$$ \Pr(\mathrm{FixedForge}) \le 1 - (1 - p_t)^{N(1 - d_f)} \approx N(1 - d_f)\, p_t \le (1 - d_f)\, N \exp\left(-2\left(\tfrac{1}{2} - s_0\right)^2 \frac{n}{N}\right), \qquad (23) $$

where we have used the fact that $p_t \ll 1$ in the approximation. Again, this probability goes to zero exponentially 
fast in the parameter $n$. Note also that, by Eq. (21), this expression goes to zero even for the case $N \to \infty$, as 
the term with $p_t$ goes exponentially fast to zero while the other term grows only linearly in $N$. 

3. We have now computed the probability to deceive a fixed participant $i$. The total number of honest participants 
is $N(1 - d_f)$ and for successful forging we require that any one of them is deceived. We therefore obtain 

$$ \Pr(\mathrm{Forge}) = 1 - \big(1 - \Pr(\mathrm{FixedForge})\big)^{N(1 - d_f)} \le N^2 (1 - d_f)^2 \exp\left(-2\left(\tfrac{1}{2} - s_0\right)^2 \frac{n}{N}\right). \qquad (24) $$
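As an added illustration (this is not code from the paper), the following Python snippet evaluates the forging bounds of Eqs. (22)-(24) for constructed parameter values and checks the single-test bound $p_t$ against a Monte Carlo run in which a coalition simply guesses every bit of a section it has never seen. The parameter values ($N = 10$, $n = 4000$, $d_f = 0.2$, $s_0 = 0.1$) are assumptions chosen for illustration, not values from the text.

```python
import math
import random

# Constructed parameter values for illustration; they are not taken from the paper.
N_PARTICIPANTS = 10     # N, number of recipients
SIG_LEN = 4000          # n, total signature length (n/N = 400 bits per test)
D_F = 0.2               # d_f, maximum fraction of dishonest participants
S_0 = 0.1               # s_0, fraction of mismatches tolerated at level 0


def single_test_bound(s0: float, m: int) -> float:
    """Eq. (22): Hoeffding bound on p_t, the probability that a coalition which
    must guess every bit of an unknown section (each guess correct w.p. 1/2)
    ends up with at most a fraction s0 of mismatches among the m = n/N bits."""
    return math.exp(-2.0 * (0.5 - s0) ** 2 * m)


def fixed_forge_bound(n: int, N: int, d_f: float, s0: float) -> float:
    """Eq. (23): union bound over the N(1-d_f) tests the coalition cannot see."""
    return (1.0 - d_f) * N * single_test_bound(s0, n // N)


def forge_bound(n: int, N: int, d_f: float, s0: float) -> float:
    """Eq. (24): union bound over the N(1-d_f) honest recipients that could be deceived."""
    return N ** 2 * (1.0 - d_f) ** 2 * single_test_bound(s0, n // N)


def simulate_guess_pass_rate(s0: float, m: int, trials: int, seed: int) -> float:
    """Monte Carlo estimate of p_t: draw m fair coin flips (1 = the guess
    disagrees with the honest bit) and count the trials whose mismatch
    fraction stays within the level-0 tolerance s0."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        mismatches = sum(rng.getrandbits(1) for _ in range(m))
        if mismatches <= s0 * m:
            passed += 1
    return passed / trials


if __name__ == "__main__":
    m = SIG_LEN // N_PARTICIPANTS
    print("p_t bound         :", single_test_bound(S_0, m))
    print("p_t (simulated)   :", simulate_guess_pass_rate(S_0, m, 2000, seed=1))
    print("Pr(FixedForge) <= :", fixed_forge_bound(SIG_LEN, N_PARTICIPANTS, D_F, S_0))
    print("Pr(Forge)      <= :", forge_bound(SIG_LEN, N_PARTICIPANTS, D_F, S_0))
    # Keeping n/N fixed while N grows leaves the exponential factor unchanged,
    # so the polynomial prefactor makes the bound grow: n must grow faster than N.
    for N in (10, 100, 1000):
        print(f"N={N:5d}, n/N=400: Pr(Forge) <= {forge_bound(400 * N, N, D_F, S_0):.3e}")
```

The final loop makes the remark after Eq. (23) visible: with $n/N$ held constant the exponential factor is frozen while the prefactor grows with $N$, which is exactly why the choice of $n$ in Eq. (21) must outgrow the number of participants.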

Transferability. In order to break the transferability of the protocol, a coalition $C$ which includes the signer $P_0$ 
must generate a signature that is accepted by recipient $i \notin C$ at level $l$, while rejected by another recipient $j \notin C$ at 
a level $l' < l$. To provide an upper bound, we allow for the biggest coalition $C$ that includes $N d_f$ participants, i.e. all 
the dishonest participants. For simplicity, again we will fix the participants whom the coalition is trying to deceive to 
be the $i$th and $j$th, while all the other honest participants are labelled with the index $k$. In general, according to our 
definitions, transferability fails if the coalition forms a signature that is not transferable for at least one pair of honest 
participants $i, j$. Therefore, we should take into account all possible pairs of honest participants. Here, we first focus 
on the case of a fixed pair of participants, and we give at the end the more general expressions. The members of the 
coalition $C$ are labelled with the index $c$. 

We first give a sketch of the proof. The first step is to compute $p_{m_{l,l'}}$. This is the probability that the tests 
corresponding to a part of the signature $\sigma_k$ of an honest recipient $k$ satisfy the following conditions: (i) the test 
$T_{k,i}$ of an honest recipient $i$ at level $l$ is passed, and (ii) the test $T_{k,j}$ of another honest recipient $j$ at a level $l' < l$ 
is failed. The second step of the proof is to prove that in order for non-transferability to be successful, there must 
be at least one test corresponding to an honest participant on which the two recipients $i$ and $j$ disagree. The third 
step is to combine the previous two steps to provide a bound for the probability of non-transferability for a fixed pair 
of recipients. Finally, we can use the previous results to bound the probability of non-transferability for any pair of 
honest recipients. 


1. First, we compute $p_{m_{l,l'}}$, which is the probability that the $k$th test $T_{k,i}$ of an honest recipient $i$ at level $l$ is 
accepted and the test $T_{k,j}$ of another honest recipient $j$ at a level $l' < l$ is rejected. The relevant part of the 
signature is $\sigma_k$, where $k$ is an honest recipient. The two parts of the verification matrix that are relevant are 
$(v_{k,i}, p_{k,i})$ and $(v_{k,j}, p_{k,j})$. Since the sender is in the coalition, they know the values of all the sections $v_{i,j}$, but 
they are completely ignorant of the positions $p_{k,i}$ and $p_{k,j}$, since participants $k$, $i$ and $j$ are all honest. The 
coalition can decide to send signatures in such a way that they introduce an average fraction of mistakes $p_e$ 
compared to the ideal signature that was used to generate the verification algorithms. Thus, the average fraction 
of mistakes is under their control. Since the protocol is symmetric for all participants, this average fraction of 
mistakes will be the same for all honest participants and in particular for both $i$ and $j$. 

To compute a bound on the joint probability of $i$ accepting at level $l$ and $j$ rejecting at level $l'$ we will consider 

$$ p_{m_{l,l'}} = \Pr(i \text{ accepts at level } l \ \text{AND}\ j \text{ rejects at level } l') \le \min\{\Pr(i \text{ accepts at level } l),\ \Pr(j \text{ rejects at level } l')\}. \qquad (25) $$

The probability of passing the test at level $l$ with an average error $p_e$ can be bounded using Hoeffding's inequalities 
to be below $\exp\left(-2(p_e - s_l)^2 \frac{n}{N}\right)$. This is the case since the expected number of mistakes is $\frac{n}{N} p_e$, while the 
mistakes that are tolerated for acceptance are $\frac{n}{N} s_l$. We note that this expression holds for $p_e > s_l$. However, as 
we will see, for $p_e < s_l$ the probability for the participant rejecting at level $l' < l$ will be even smaller, and since 
for our bound we consider the minimum of those two probabilities, we can assume that $p_e > s_l$. 

The probability of failing the test at level $l'$ with average errors $p_e$ can similarly be bounded to be smaller 
than $\exp\left(-2(s_{l'} - p_e)^2 \frac{n}{N}\right)$. This is since the expected number of mistakes is $\frac{n}{N} p_e$, while the mistakes needed to fail are 
more than $\frac{n}{N} s_{l'}$. We note that this expression holds for $p_e < s_{l'}$. However, as we have seen, for $p_e > s_{l'}$ the 
probability for the participant accepting at level $l$ will be even smaller (recall $s_l < s_{l'}$), and since for our bound 
we consider the minimum of those two probabilities, we can assume that $p_e < s_{l'}$. 

Therefore, the coalition must choose a value of $p_e$ satisfying 

$$ s_l < p_e < s_{l-1}. \qquad (26) $$

Since we are taking the minimum over both cases, the best choice for the coalition is to have both probabilities 
coincide. This is achieved by using a fraction of errors $p_e = (s_l + s_{l-1})/2$, and in that case we obtain the bound 

$$ p_{m_{l,l'}} \le \exp\left(-\frac{(s_{l'} - s_l)^2}{2}\,\frac{n}{N}\right), \qquad (27) $$

which decays exponentially with $n/N$ and also depends on the difference $(s_{l'} - s_l)$. 

2. It is trivial for the coalition to make two recipients disagree in any way they wish on the results of a test that 
involves a member of the coalition, i.e. they can make $T_{c,i}$ and $T_{c,j}$ take any values they wish. However, the 
number of those tests is at most $N d_f$, which is the maximum number of members in the coalition. 

For the participant $i$ to accept a message at level $l$, he needs a fraction greater than $f_l$ of the tests to pass at 
this level. On the other hand, for the participant $j$ to reject the message at level $l'$, a fraction greater than 
$1 - f_{l'}$ of tests must fail at this level. Therefore, even taking the best case for the coalition, which is $l' = l - 1$, 
since it holds that $f_l = f_{l-1} + d_f$, in order for the non-transferability to be successful the honest participants $i$ 
and $j$ need to disagree on at least $N d_f + 1$ tests. As we saw, the coalition can easily make them disagree on the 
$N d_f$ tests originating from them, but the participants $i$ and $j$ still have to disagree on at least one more test 
originating from an honest participant. 

3. In order for the coalition to successfully cheat, the number of tests that pass for the $i$th recipient must be at least 
$N f_l + 1$. Out of those tests we can assume that $N d_f$ were due to the coalition, but there are still $N(f_l - d_f) + 1$ 
tests that the coalition does not have access to. In order for the non-transferability to be successful, at least one 
of these $N(f_l - d_f) + 1$ tests should fail for participant $j$ at level $l' = l - 1$. The probability that they agree on 
all of them is $(1 - p_{m_{l,l-1}})^{N(f_l - d_f) + 1}$, and therefore the probability of fixed non-transferability can be bounded 
as 

$$ \Pr(\mathrm{FixedNonTrans}) \le 1 - (1 - p_{m_{l,l-1}})^{N(f_l - d_f) + 1} \approx [N(f_l - d_f) + 1]\, p_{m_{l,l-1}} \le [N(f_l - d_f) + 1] \exp\left(-\frac{(s_{l-1} - s_l)^2}{2}\,\frac{n}{N}\right) + O\big(p^2_{m_{l,l-1}}\big). \qquad (28) $$

This goes to zero exponentially with $n/N$. Note that the first term scales linearly in $N$, but $p_{m_{l,l-1}}$ decays 
exponentially with $n/N$; therefore, with the choice of Eq. (21), this probability also vanishes in all limits of interest. 

4. Finally, we should consider the general case, where the participants $i, j$ are not fixed. Again, we can see that 
because the probability for fixed parties decays exponentially in the parameter $n$, the protocol remains secure. 
The number of honest pairs of participants is $[N(1 - d_f)][N(1 - d_f) - 1]/2 =: N_p$, so we obtain 

$$ \Pr(\mathrm{NonTrans}) = 1 - \big(1 - \Pr(\mathrm{FixedNonTrans})\big)^{N_p} \approx O(N^3) \exp\left(-\frac{(s_{l-1} - s_l)^2}{2}\,\frac{n}{N}\right). \qquad (29) $$

Non-repudiation. In order to repudiate, a coalition $C$ including the sender $P_0$ generates an $i$-acceptable signature 
for some $i \notin C$, where invoking the dispute resolution DR results in Invalid. This means that the coalition wants to 
make a participant accept a signature at level $l = 0$, but then have the majority of participants reject the same 
signature at level $l = -1$. We can actually reduce this problem to the special case of non-transferability from level 
$l = 0$ to level $l = -1$ in the following three steps. 


1. We first find the probability of non-transferability for a fixed pair of participants, i.e. from a fixed honest 
participant $i$ at level $l = 0$ to another fixed honest participant $j$ at level $l = -1$. We denote this probability by 
$p_1$ and, as found before, it can be bounded by 

$$ p_1 \le [N(f_0 - d_f) + 1]\, p_{m_{0,-1}} \le \left(\frac{N}{2} + 1\right) \exp\left(-\frac{(s_{-1} - s_0)^2}{2}\,\frac{n}{N}\right), \qquad (30) $$

where we have used the fact that $f_0 - d_f = \tfrac{1}{2}$ from Eq. (20). 


2. The second step is to note the following. For a fixed recipient $i$ to accept at $l = 0$, at least 
$N f_0 + 1 = N(\tfrac{1}{2} + d_f) + 1$ parts of his signature must have been accepted. Out of these, $\tfrac{N}{2} + 1$ must have come from honest 
participants. Now, each of those honest participants that sent $i$ a part that passed his tests also sent the other 
honest participants sections which, with probability $1 - p_1$, pass their tests at level $l = -1$. For a message to be 
declared invalid in the dispute resolution DR, half of the participants have to reject. However, at least $\tfrac{N}{2} + 1$ 
are unlikely to reject, since the probability that they do reject is $p_1$, which can be made arbitrarily small. In 
other words, for the DR to give Invalid, at least one of the honest participants needs to fail the transferability 
for a fixed pair of participants. 


3. It is now clear that if no fixed pair of honest participants $i, j$ fails the transferability from level $l = 0$ to $l = -1$, 
then the coalition cannot repudiate. This leads to the following bound for the probability of repudiation: 

$$ \Pr(\mathrm{Rep}) \le 1 - (1 - p_1)^{N_p} \approx N_p\, p_1 + O(p_1^2) \le O(N^3) \exp\left(-\frac{(s_{-1} - s_0)^2}{2}\,\frac{n}{N}\right), \qquad (31) $$

where $N_p$, as before, is the number of honest pairs $[N(1 - d_f)][N(1 - d_f) - 1]/2$ and $p_1$ decays exponentially with 
$n/N$. 
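The following Python example is added here (it is not code from the paper) to make the non-transferability argument of Eqs. (25)-(29) and its repudiation special case of Eqs. (30)-(31) concrete: it searches numerically for the error fraction $p_e$ that is best for the coalition and compares the result with the midpoint prediction of Eqs. (26)-(27), then evaluates the first-order union bounds over the honest tests and the honest pairs. All numeric values ($N$, $n$, $d_f$ and the threshold sets $s_l$ and $f_l$) are constructed assumptions, not values from the text.

```python
import math

# Constructed parameter values for illustration only (not taken from the paper).
N_PARTICIPANTS = 10   # N
SIG_LEN = 40000       # n, so each test involves n/N = 4000 bits
D_F = 0.2             # d_f
S_LEVELS = {-1: 0.30, 0: 0.20, 1: 0.10}   # s_l: tolerated error fraction per level, s_l < s_{l-1}
F_LEVELS = {-1: 0.50, 0: 0.70, 1: 0.90}   # f_l = f_{l-1} + d_f, with f_0 = 1/2 + d_f (Eq. 20)


def accept_bound(p_e: float, s_l: float, m: int) -> float:
    """Hoeffding bound on Pr(honest i accepts at level l) when the coalition
    plants an average error fraction p_e and level l tolerates s_l.
    The bound is informative only for p_e > s_l; otherwise return the trivial 1."""
    if p_e <= s_l:
        return 1.0
    return math.exp(-2.0 * (p_e - s_l) ** 2 * m)


def reject_bound(p_e: float, s_lp: float, m: int) -> float:
    """Hoeffding bound on Pr(honest j rejects at level l') with tolerance s_l'.
    Informative only for p_e < s_l'; otherwise return the trivial 1."""
    if p_e >= s_lp:
        return 1.0
    return math.exp(-2.0 * (s_lp - p_e) ** 2 * m)


def pm_bound(p_e: float, s_l: float, s_lp: float, m: int) -> float:
    """Eq. (25): the joint event is bounded by the smaller of the two marginals."""
    return min(accept_bound(p_e, s_l, m), reject_bound(p_e, s_lp, m))


def coalition_best_pe(s_l: float, s_lp: float, m: int, steps: int = 2000):
    """Grid search over p_e in [s_l, s_l'] for the error fraction that maximises
    the coalition's bound. Eqs. (26)-(27) predict the midpoint (s_l + s_l')/2."""
    best_pe, best = s_l, -1.0
    for k in range(steps + 1):
        p_e = s_l + (s_lp - s_l) * k / steps
        b = pm_bound(p_e, s_l, s_lp, m)
        if b > best:
            best_pe, best = p_e, b
    return best_pe, best


def pm_closed_form(s_l: float, s_lp: float, m: int) -> float:
    """Eq. (27): the value of the bound at the midpoint error fraction."""
    return math.exp(-((s_lp - s_l) ** 2) * m / 2.0)


def honest_pairs(N: int, d_f: float) -> float:
    """N_p = [N(1-d_f)][N(1-d_f)-1]/2, the number of pairs of honest recipients."""
    h = N * (1.0 - d_f)
    return h * (h - 1.0) / 2.0


def fixed_nontrans_bound(n: int, N: int, d_f: float, f_l: float, s_l: float, s_lm1: float) -> float:
    """Eq. (28), first-order term: the coalition controls N d_f tests, so at least one
    of the remaining N(f_l - d_f) + 1 honest tests must split recipients i and j."""
    return (N * (f_l - d_f) + 1.0) * pm_closed_form(s_l, s_lm1, n // N)


def nontrans_bound(n: int, N: int, d_f: float, f_l: float, s_l: float, s_lm1: float) -> float:
    """Eq. (29), first-order term: union bound over all honest pairs."""
    return honest_pairs(N, d_f) * fixed_nontrans_bound(n, N, d_f, f_l, s_l, s_lm1)


def repudiation_bound(n: int, N: int, d_f: float, s_0: float, s_m1: float) -> float:
    """Eqs. (30)-(31): repudiation reduces to non-transferability from level 0 to
    level -1, where f_0 - d_f = 1/2 by Eq. (20)."""
    p_1 = (N / 2.0 + 1.0) * pm_closed_form(s_0, s_m1, n // N)
    return honest_pairs(N, d_f) * p_1


if __name__ == "__main__":
    m = SIG_LEN // N_PARTICIPANTS
    pe, b = coalition_best_pe(S_LEVELS[1], S_LEVELS[0], m)
    print(f"best p_e for the coalition (levels 1 -> 0): {pe:.4f}, bound {b:.3e}")
    print(f"Eq. (27) closed form                      : {pm_closed_form(S_LEVELS[1], S_LEVELS[0], m):.3e}")
    print("Pr(NonTrans) <=", nontrans_bound(SIG_LEN, N_PARTICIPANTS, D_F, F_LEVELS[1], S_LEVELS[1], S_LEVELS[0]))
    print("Pr(Rep)      <=", repudiation_bound(SIG_LEN, N_PARTICIPANTS, D_F, S_LEVELS[0], S_LEVELS[-1]))
```

Outside the interval of Eq. (26) one of the two marginal bounds is trivial, but the other is smaller than at the midpoint, which is why the grid search lands on $(s_l + s_{l'})/2$; the bounds for Eqs. (29) and (31) are the first-order terms only, so they exceed 1 for small $n$ and become meaningful once $n/N$ is large enough that the exponential dominates the $O(N^3)$ prefactor.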


We have seen that all security parameters, from Eqs. (23), (28) and (31), go to zero exponentially fast with $n$ 
provided correct choices of $s_l$ and $f_l$ are made. As stressed before, by Eq. (21), we also know that these parameters 
go to zero even if the number of participants $N$ goes to infinity. 


Secure channels from QKD. Security proofs for quantum key distribution (QKD) rely on the assumption that 
the parties wishing to exchange a secret key behave honestly. In the context of our multiparty protocol for quantum 
signature schemes, this assumption does not hold, since some of the participants performing QKD may be dishonest. 
However, we can show that this does not present a problem for the security of our protocol in three steps. Similar 
arguments are made in [24]. 


Step 1: Only honest-dishonest QKD links may be affected. The first observation is that dishonest behaviour during 
QKD may only be an issue when the QKD link connects an honest participant with a dishonest one. For two honest 
participants, standard QKD security proofs apply, so we are not concerned with this scenario. For the case of two 
dishonest participants, since all members of the coalition have access to the same information - as is assumed in our 
security definitions - it is irrelevant whether they behave honestly during QKD. Similarly, honest participants do not 
eavesdrop on dishonest participants, so there are no consequences to the security of the QS protocol. 


In the following two steps we will show that for the case of an honest and a dishonest participant using QKD 
to establish a shared secret key, any adversarial behaviour during the QKD stage of the protocol is equivalent to a 
dishonest behaviour in subsequent parts of the protocol. Therefore, we can assume that the participants were honest 
during the QKD stage and examine all possible deviations for later stages of the protocol. 

Step 2: No gain from leaking information. At the end of a QKD protocol, an honest participant $P_i$ holds a key 
register $X$ which, in the ideal case, is identical to the string $Y$ of the other participant $P_c$ and is completely unknown 
to any other party. This means that any dishonest behaviour by participant $P_c$ can only lead to two possible outcomes: 
(i) the registers $X$ and $Y$ are not identical, or (ii) $X$ is correlated with the register of another party. Since we assume 
that all dishonest participants are in coalition, all of them have perfect knowledge of the register $Y$, so there is no 
need to eavesdrop information about this string. They of course benefit from knowledge of $X$, but they can have 
perfect knowledge of $X$ simply if $P_c$ behaves honestly during QKD. Therefore, leakage of information does not help 
the adversarial coalition. 

Step 3: No gain from imperfect keys. Similarly, if there are mismatches between the registers $X$ and $Y$, any message 
which is transmitted secretly by using a one-time pad with either $X$ or $Y$ will be received with errors in all positions 
in which $X$ and $Y$ differ. However, if $Y$ is used by $P_c$ to transmit a message to the honest participant $P_i$, the situation 
is exactly equivalent to one in which they have identical secret keys, but $P_c$ decided to introduce errors in the message 
sent to $P_i$. Similarly, if $P_i$ is the one sending the message, the situation is equivalent to the keys being identical but 
participant $P_c$ introducing errors after receiving the message. In fact, since in order to cheat the coalition needs to 
know the verification functions of the honest participants, their optimal strategy is to be honest during the QKD stage 
and have a perfect copy of the other participants' secret keys. Therefore, the security of QKD is only relevant in a 
quantum signature scheme in order to protect honest participants who want to establish a secret key. It is precisely 
in this regime that standard QKD proofs apply. 


VI. DISCUSSION 


In this work, we have provided a full security framework for quantum signature schemes. We have generalized 
the security definitions of Swanson and Stinson [1] to allow for quantum schemes and different levels of verification. 
Additionally, we have proven several properties that USS protocols, quantum or classical, must satisfy in order to 
achieve their security goals. Together, these results form a powerful set of tools to be employed in the understanding 
and development of improved protocols in a general setting. 

In fact, we have done just that by using our security framework to generalize the P2-WDKA protocol of Wallden 
et al. [2] to the multiparty case. This protocol is secure against forging, repudiation, and non-transferability, relying 
on minimal security assumptions. Interestingly, the quantum-mechanical features responsible for the security of the 
protocol can be completely outsourced to quantum key distribution (QKD), where a vast literature of sophisticated 
security proofs already exists. This feature also addresses the issue of authentication in quantum signature schemes: 
we can simply use QKD to generate new secret keys to be used in the authentication of future instances of a signature 
protocol. Finally, since this protocol can be implemented using any point-to-point QKD network, it is already 
practical, making experimental demonstrations in the short-term future a real and exciting possibility. 

As a consequence of our results and those of Ref. [2] , the status of unconditionally secure signature schemes should 
be considered analogous to that of secure communication, where a classical protocol - the one time-pad - already 
exists and can guarantee information-theoretic security at the expense of shared secret keys. Quantum communication 
can then be used to establish these secret keys via unsecured quantum channels. Similarly, for signature schemes, 
there exist classical protocols - such as our generalized P2-WDKA protocol - which provide information-theoretic 
security at the expense of shared secret keys. Remarkably, even in the setting where parties are dishonest, quantum 
key distribution can be used to establish the secret keys. Overall, we can now understand unconditionally secure 
signature schemes as a practical application of quantum key distribution. Future work can focus on optimizing these 
classical protocols, for example in reducing the length of the secret keys that need to be exchanged as a function of the 
message size. Additionally, it is important to continue to study protocols where quantum communication can be used 
to construct quantum signature schemes without the need to distil a secret key. Those schemes could offer advantages 
in terms of scalability, or in terms of extending the distance between parties, and thus be proven more useful in this 
respect. For example, Ref. [21] discusses how such "direct quantum" signature schemes may be practical even if the 
quantum bit error rate is too high to allow the distillation of a secure key. 